Forum Discussion
Using LTM for network forwarding
Our data center architecture has a pretty standard model, with an "internal" network and a "DMZ". Our internal network does not have a direct route to the Internet. However, I have LTMs in our DMZ that can access the Internet directly. We have a server in our internal network running Microsoft Office 365 "Hybrid services" that needs to access a number of Microsoft Office 365 public networks, and I am being asked to facilitate this connectivity with our LTM. But given my lack of networking knowledge, I don't quite understand how I might configure the LTM to do this. I get a bit lost when it comes to how the different VS types function.
I was hoping someone might be able to help me understand at a high level what we would need to do in our network gear, and on the LTM, to enable this communication?
57 Replies
- Thomas_Gobet_91
Cirrostratus
A wildcard VS is not made only for inbound traffic.
Depending on which VLAN you're listening on, it can forward traffic coming from the "Internal" VLAN to the "External" VLAN (outbound traffic).
What you have to check is:
1. Does your firewall allow your BIG-IP to go on the Internet?
1.a) If it's not, is there an IP in the DMZ that your F5 can use to SNAT your Microsoft server?
1.b) If it is, you can use a virtual server with SNAT Automap.
- smp_86112
Cirrostratus
First, thanks for sticking with me. Yes, our infrastructure does allow the LTM to get out to the Internet. The answer to both a) and b) is yes, I could do either. But the thing I am struggling first with is not how to get the LTM - > internet (that will come later), it's how to get the MS server to the LTM for a defined set of public Microsoft networks. Do we create routes on our internal router saying that the next hop for the public Microsoft networks is the LTM?
- Thomas_Gobet
Nimbostratus
No, what you have to do is define multiple routes, one for each network, but it will be on your server, never on your internal router.
You can also define the BIG-IP internal Self-IP (or floating) as the default gateway of your Microsoft Server.
- smp_86112
Cirrostratus
> You can also define the BIG-IP internal Self-IP (or floating) as the default gateway of your Microsoft Server.
This would effectively mean moving the server to a VLAN in the DMZ, which is really the right solution but unfortunately isn't one of my options.
> No, what you have to do is define multiple routes for each network, but it will be on your server, never on your internal router.
Are you just saying that yes, we will need to create static routes, just on the server itself instead of the router?
- Thomas_Gobet_91
Cirrostratus
Perhaps I've missed something, but is your Microsoft server on the same network as the Internal VLAN on the F5?
- smp_86112
Cirrostratus
If I understand your question correctly, no, the MS server is not in an internal F5 VLAN. Our F5 services VLANs in our DMZ, but the server is in our internal network.
- Thomas_Gobet
Nimbostratus
So you can't define a static route directly on your Microsoft server. You have to define a route on your internal router.
I can suggest you use Policy Based Routing (PBR); it will avoid you having to change a lot of things in your configuration.
For sure your problem isn't part of your F5 configuration.
- smp_86112
Cirrostratus
Sorry, but I don't understand what PBR means or what the implications are. What I really need to understand is whether or not the F5 can facilitate this communication, and if so, how would I do it? It's not really my decision about how much work is too much - I just need to communicate what I would need to do. But I'm still unsure about that. If we configured our internal routing infrastructure to point each of the published Microsoft networks at our F5, could I create IP Forwarding Virtual Servers for each of those networks and enable SNAT? I realize the complexity and the number of Virtual Servers that would need, but technically speaking, would that work?
- Thomas_Gobet
Nimbostratus
What you need to do is add a route on your internal router.
Traffic coming from your Microsoft server has to be routed to your BIG-IP.
Then, once that is done, you will have to create a forwarding virtual server and enable SNAT.
Be careful: your BIG-IP has to know how it can reach the Microsoft server. You can add a static route pointing to your internal router, or you can enable auto last hop.
Even if it's not the best solution, it's possible to make it work.
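The steps above (route on the internal router, a forwarding virtual server with SNAT, and a return path via a static route or auto last hop) as a worked tmsh configuration. This is an added example, not configuration posted in the thread or supplied by F5; every name and address in it is assumed or constructed: `internal_vlan`, the router address `10.1.1.1`, the internal network `10.0.0.0/8`, and `203.0.113.0/24`, which stands in for one published Microsoft Office 365 range (the real ranges come from Microsoft's published list, one virtual server per range, as the asker anticipates).

```tmsh
# Added example (not from the thread or from F5). Assumed/constructed values:
#   internal_vlan  - BIG-IP VLAN facing the internal router
#   10.1.1.1       - internal router's address on that VLAN
#   10.0.0.0/8     - internal network holding the Office 365 hybrid server
#   203.0.113.0/24 - stand-in for ONE published Microsoft Office 365 range
#
# Prerequisite on the internal router (not on the BIG-IP): a static route for
# each published Microsoft range whose next hop is the BIG-IP's internal
# self-IP or floating IP, so the server's traffic arrives on internal_vlan.

# 1. Return route so the BIG-IP can reach the internal server through the
#    internal router. Optional if you rely on auto-lasthop (step 2 instead).
create net route to_internal network 10.0.0.0/8 gw 10.1.1.1

# 2. One IP-forwarding virtual server per published range, scoped tightly:
#    - destination is the specific range, not 0.0.0.0/0, so only traffic to
#      that range is forwarded (keeps the BIG-IP from becoming an open relay)
#    - listens only on internal_vlan, so packets arriving from the DMZ side
#      never match it
#    - SNAT automap rewrites the source to the BIG-IP's egress self-IP, which
#      the firewall already allows out to the Internet per the thread
#    - auto-lasthop returns replies to the router the request came from even
#      without the static route above
create ltm virtual vs_fwd_o365_net1 {
    destination 203.0.113.0:any
    mask 255.255.255.0
    ip-forward
    ip-protocol any
    profiles add { fastL4 { } }
    source-address-translation { type automap }
    auto-lasthop enabled
    vlans add { internal_vlan }
    vlans-enabled
}

save sys config
```

Paste the block into an interactive `tmsh` session (or adapt it for `load sys config merge`) and repeat the virtual server stanza with a new name, `destination` and `mask` for each remaining published range. Keeping the destination and the listening VLAN narrow is the check worth making before going live: a wildcard forwarding VS with SNAT on all VLANs would turn the DMZ BIG-IP into a general outbound relay for anything the router sends it, while the per-range form only forwards what the internal router was deliberately told to hand over.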
- smp_86112
Cirrostratus
Yes, the F5 can reach both the internal server and the public internet cloud. So assuming we have routes on our internal router for all these public cloud networks pointing at our F5, I'm trying to understand all the various forwarding configuration options I've got. It sounds like I could create a forwarding VS for each corresponding public cloud network and enable SNAT. Painful, but possible. Based on a comment above, it sounds like I could apply an iRule to my existing wildcard VS and SNAT traffic with a destination of these public internet clouds. I don't want to do this either, but possible. Are there other VS types or properties on the F5 that would allow this internal server to get out to a public network?
If the connection was point-to-point, this would be simple. The kicker for me is that the destination is a network, not a single endpoint. That throws a non-networking guy like me for a loop.